Provenance and Integrity in Helm Charts
Publishing Signed Charts to an OCI Registry
When working with OCI-based registries such as Harbor, the process differs from the one used for classic chart repositories. OCI registries store charts as OCI artifacts, so the provenance file has to be handled differently.
The Challenge with OCI Registries
Unlike classic chart repositories, where both the .tgz and .prov files are stored side by side and accessed via HTTP, OCI registries treat charts as container artifacts. The standard helm push command pushes the chart package but does not include the provenance file as part of the OCI artifact.
This means that when you run:
helm push hello-world-0.1.0.tgz \
oci://$MASTER_PUBLIC_IP:30003/helm-charts
Only the chart package is pushed; the .prov file is left behind.
Option 1: Manual Provenance Distribution
The simplest approach is to distribute the provenance file separately. Start by creating a project on Harbor called helm-charts (if you haven't already). This is important; otherwise, you may encounter errors when pushing charts.
After pushing the chart to Harbor:
# Login to Harbor
helm registry login $MASTER_PUBLIC_IP:30003 \
--username admin \
--password Harbor12345
# Push the signed chart to Harbor
helm push $HOME/hello-world-0.1.0.tgz oci://$MASTER_PUBLIC_IP:30003/helm-charts
# Push the provenance file to a remote server
scp $HOME/hello-world-0.1.0.tgz.prov user@yourserver:/path/to/provenance/files/
You can store the .prov file in a separate location (e.g., a web server, S3 bucket, or Git repository) and provide instructions for users to download it before verification:
# User downloads the chart
helm pull oci://$MASTER_PUBLIC_IP:30003/helm-charts/hello-world --version 0.1.0
# User downloads the provenance file from your distribution point
scp user@yourserver:/path/to/provenance/files/hello-world-0.1.0.tgz.prov .
# User verifies the chart
helm verify hello-world-0.1.0.tgz
This approach works, but it requires additional infrastructure and manual steps on both the publisher's and the consumer's side.
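To make concrete why the .prov file must travel with the .tgz, the following added example (not part of the original text or of Helm itself) re-implements only the checksum half of what helm verify does: it reads the sha256 recorded under files: in a .prov file and compares it with the digest of the archive on disk. The PGP framing in the fixture is placeholder text, and the signature check that a real helm verify performs against the keyring is deliberately not reproduced here; the chart and .prov fixture are constructed inside the script so it runs offline.

```shell
#!/usr/bin/env sh
# Added example: the digest comparison performed by `helm verify`, without the
# PGP signature check. Fixtures are constructed below; nothing is fetched.
set -u

# Portable sha256 (coreutils on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Extract the hex digest recorded for the named archive in the .prov "files:" block.
# $1 = path to .prov file, $2 = basename of the chart archive
prov_expected_digest() {
  awk -v name="$2" '
    $0 ~ /^files:/ { infiles = 1; next }
    infiles && $1 == name ":" { sub(/^sha256:/, "", $2); print $2; exit }
  ' "$1"
}

# Return 0 when the archive digest matches the .prov record, 1 otherwise.
# $1 = chart archive, $2 = its .prov file
check_prov_digest() {
  expected=$(prov_expected_digest "$2" "$(basename "$1")")
  if [ -z "$expected" ]; then
    echo "no digest for $(basename "$1") found in $2" >&2
    return 1
  fi
  actual=$(sha256_of "$1")
  if [ "$expected" = "$actual" ]; then
    echo "digest OK: $actual"
    return 0
  fi
  echo "digest MISMATCH: prov=$expected actual=$actual" >&2
  return 1
}

# Build a constructed chart archive plus a .prov that records its digest.
# A real .prov comes from `helm package --sign`; the signature block here is a placeholder.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/hello-world/templates"
  printf 'apiVersion: v2\nname: hello-world\nversion: 0.1.0\n' > "$dir/hello-world/Chart.yaml"
  tar -czf "$dir/hello-world-0.1.0.tgz" -C "$dir" hello-world
  {
    echo '-----BEGIN PGP SIGNED MESSAGE-----'
    echo 'Hash: SHA512'
    echo
    cat "$dir/hello-world/Chart.yaml"
    echo
    echo '...'
    echo 'files:'
    echo "  hello-world-0.1.0.tgz: sha256:$(sha256_of "$dir/hello-world-0.1.0.tgz")"
    echo '-----BEGIN PGP SIGNATURE-----'
    echo '(placeholder: constructed fixture, not a real signature)'
    echo '-----END PGP SIGNATURE-----'
  } > "$dir/hello-world-0.1.0.tgz.prov"
  echo "$dir"
}

# Demo: the matching pair passes; an archive modified after signing fails.
DEMO_DIR=$(make_fixture)
check_prov_digest "$DEMO_DIR/hello-world-0.1.0.tgz" "$DEMO_DIR/hello-world-0.1.0.tgz.prov"
printf 'tampered' >> "$DEMO_DIR/hello-world-0.1.0.tgz"
check_prov_digest "$DEMO_DIR/hello-world-0.1.0.tgz" "$DEMO_DIR/hello-world-0.1.0.tgz.prov" \
  || echo "modified archive rejected, as expected"
rm -rf "$DEMO_DIR"
```

The point of the demo is the failure path: once the .tgz is pushed to the OCI registry and the .prov is distributed on its own, any mismatch between the two (a re-packaged chart, a stale .prov, a download from the wrong version) is caught only if the consumer actually has both files in the same directory when running helm verify.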
Option 2: Using ORAS to Push Provenance as an OCI Artifact
ORAS (OCI Registry As Storage) is a tool that allows you to push arbitrary files to OCI registries. You can use it to store the provenance file alongside your chart:
# Install ORAS (if not already installed)
cd /tmp
curl -LO https://github.com/oras-project/oras/releases/download/v1.3.0/oras_1.3.0_linux_amd64.tar.gz
tar -xzf oras_1.3.0_linux_amd64.tar.gz
sudo mv oras /usr/local/bin/
# Login to Harbor
oras login $MASTER_PUBLIC_IP:30003 \
--username admin \
--password Harbor12345 \
--insecure
# Package and sign the chart; this produces hello-world-0.1.0.tgz and hello-world-0.1.0.tgz.prov
cd $HOME
helm package hello-world --sign \
--key 'John The Signer' \
--keyring $HOME/.gnupg/secring.gpg
# Push the provenance file as an OCI artifact
Helm in Practice: Designing, Deploying, and Operating Kubernetes Applications at Scale